Cyber crime in travel – while the cat’s away the devils will play

Travel brands have progressed from the original basic website offerings to the sophisticated all-encompassing experiences we see on some of the leading providers’ sites these days.

The sector has enjoyed the growth in data availability, including open data, and the mature tools used to mine that data to bring out the best results in sales and marketing.

NB: This is a viewpoint by Simon Freeman, CEO of Fresh Skies.

In parallel with this revolution in online capability, we have seen regulations grow to protect your customers. Data protection and what you can and cannot use data for and who you can share it with are relatively comprehensive.

But there is a darker side to the internet. It’s relatively simple. If you can use those tools and data to drive better results, guess what, so can the criminals out there. What’s more, they are better equipped, better funded and do not have to worry about regulation.

It is no surprise that conventional crime is dropping -when crime is far easier to do online.

Think back to the days of yesteryear when people did not need to lock their doors, and left cars unlocked, and it was all fine. Things are not that way anymore. People lock their doors now and car protection has become very sophisticated.

But online, most people are still doing the equivalent of leaving their back doors open. In the good ole days, if you were going to be robbed, someone would break into your house and steal your possessions.

Hopefully, you would not be in. But criminals are now able to use the same tools as you to improve their results. Their ability to use data to improve ‘outcomes’ is readily available today.

Don’t believe me and think I am exaggerating? Then follow this scenario.

Real world

Customer books a hotel and flight on one of the many popular travel sites for six weeks time. To book, the customer must enter an email address and password, put in some personal details (address) and contact details, then pay using a credit card.

All good.

In fact, the company is very security conscious and their web site is protected by SSL (https://) and shows the padlock on the browser. Why? Because it would be deemed madness to send data such as the above over the web unprotected.

What happens next may be a little surprising. Some travel sites send you a welcome email and – worse – some actually put your password in it.

Think about it. Your web site would NEVER be live without that protection, but you just emailed the user ID (the email address) and the password in clear.

Even if you do not email the password initially, 99% of sites rely upon a forgotten password process that involves entering the email address and having it send you your password. In an email. In clear. Unprotected. Get the point? You spend all the money protecting the data on the web site transaction – then send it over exactly the same pipes with the same threat in an email unprotected.

If you do not think this is a viable threat, go ahead, talk to your IT guys and ask them to remove SSL (https://) from your web site.

But the problem is not over yet. As a result of the booking, the travel web site sends the customer confirmation of the booking and itinerary in an email. In clear.

It contains the name, the email address, the telephone number (why?), the dates and times the customer will be away.

Why is this a problem? Because email is insecure. It travels across the internet unprotected (in clear text) and can be read by ANYONE while in transit who has access to any of the delivery stages or pipes.

This is very unlikely, I hear you say.

Something else

Okay, so go switch off SSL on your web site then. The threat is exactly the same. You cannot defend one position but not the other. It is like saying beer drunk from a straight glass is good for you but drink the beer from a jug glass and the same beer is suddenly bad for you.


So let’s pretend the organised criminals have access to an email hosting company’s email servers (corrupt IT guy?) or have sniffers on the pipes, or have access to the servers directly through hacking. They can now have access to all the travel itineraries of anyone who has email hosted with them.

As a criminal, I now have your email address, your telephone number and know when you will be away from home. But I need your address. Well, I can reset your travel web site password (I have access to your email, don’t forget) and get your password – and then log in and get your address.

If I am unable to get your address, all is not lost. Many people have their own domain names. I can use the various WhoIs databases that are publicly available on the net to see who owns the email domain name. It will give the criminal an address and perhaps a telephone number.

If that does not work, it will give them the company who owns the domain and they can go search on the internet with Google or business web sites. Use companies house data (public) or the businesses’ own web site address etc.

They won’t find everyone.

It gets scarier still

But let’s say that of the 300,000 people whose emails they can read 50% will book a holiday and 10% of those will have addresses easy to find. That’s 15,000 people. They know when they are on holiday and where they live. But let’s not stop there.

Let’s go to and look up the name and address and, hey presto, it tells us who else lives at that address. If there are only the people on the itinerary listed then the criminal can have more assurance that house will be empty on those dates.

Next, a quick trip to Google Maps, type in the address and look at street view at the front of your property. No alarm showing. Nice. They can see your doors and windows and with satellite view they can see access around the back, whether you are overlooked.

They can find out who your neighbours are through the same They can look up the value of your house from Zoopla, see the layout of your house, the size, the number of bedrooms and where they are, the size of your garden (Google) and so on.

Then head, for example, to the UK’s Land Registry and get details of your house. Do you own it?

It can in some cases tell them the amount of mortgage you have outstanding and the bank you have that loan with.

Feed all this data into clever data analytics tools from the warmth of their own bed in, let’s say, in a Far-Eastern country well out of harms way. Then sell the data to local interested parties who now have a list of significant numbers of people who live alone, have no alarm, in expensive houses (who take expensive holidays because we can see your destination) and – most importantly – when you are away.

Apart from the travel itinerary, all other data is publicly available today. It is used by organisations such as yourselves to improve your marketing and advertising targeting. For criminals it is used to reduce risk of capture and improve results.

The IT industry has done a great job of securing the internet and then left a critical piece, email, wide open.

Email travels the world in clear and there is a strong possibility that your firm sends very important customer data in clear in emails that you would not dream of allowing on your web site transactions.

Cyber crime is growing. Are you part of the problem?

NB: This is a viewpoint by Simon Freeman, CEO of Fresh Skies.

NB2: Cyber crime image via Shutterstock.

Share on FacebookTweet about this on TwitterShare on LinkedInEmail to someone

About the Writer :: Viewpoints

A founding principle of tnooz was a diversity of viewpoints from across the spectrum. Viewpoints are articles by guest contributors from around the travel and hospitality industries. The views expressed are those of the author. and do not necessarily reflect those of the author's employer, or tnooz and its partners.



  1. Neeraj Ajmera

    Get 100Gb free space with surdoc tru privacy security policy

  2. Alexandra B

    This is a very vivid example! I’ve read a while back that people get robbed while they’re out of the house for a grocery trip or a coffee shop stop because they’ve used Twitter to announce it to the world or checked-in at one of those locations on Foursquare. Agree that email needs better protection these days. The thing that made it so easy to use is now something that’s making it so vulnerable!


Newsletter Subscription

Please subscribe now to Tnooz’s FREE daily newsletter.

This lively package of news and information from Tnooz’s web site provides a convenient digest of what’s happening in technology that drives the global travel, tourism and hospitality market.

  • Cancel